
WHITE PAPER
Finding Threats in Linux Memory: The Value of Memory Integrity Verification

Linux powers critical web and cloud infrastructure for organizations around the world. Not surprisingly, it has become a major target for cybercrime and cyber espionage. In the past year, financially motivated attackers have launched large-scale Linux-targeted attack campaigns across critical infrastructure, retail, healthcare, and financial and brokerage organizations. This white paper explores the magnitude of threats against Linux systems and why organizations are looking at memory integrity as a superior approach for detecting threats on Linux systems. Memory integrity verification ensures that systems are running exactly the software they are supposed to be running, and flags anything that should not be there.

Linux Systems: A Major Target

Linux is an open source operating system beloved by enthusiasts because the price is right and the license provides the freedom to tinker. From its earliest days, Linux has powered numerous web servers and other Internet infrastructure worldwide. Over the past decade, Linux has increasingly been adopted for commercial use. Today, Linux is widely used in corporate data centers and is a formidable presence in nearly all realms of computing. What is even more surprising is that only 58% of IT professionals indicated they run antivirus on both Windows and Linux servers. 1

Threat Attacks on the Upswing

In early 2014, Syngress published the Malware Forensics Field Guide for Linux Systems, which stated that:

"Trends in malware incidents targeting Linux systems combined with the ability of modern Linux malware to avoid common security measures make malware incident response and forensics a critical component of any risk management strategy in any organization that utilizes Linux systems." 2

Those words were prophetic. It turns out that 2014 was the biggest year to date for cyber-attacks, and there is no indication that things are about to slow down.

In 2014, Linux fell victim to several large-scale threat campaigns run by financially motivated attackers. Operation Windigo infected more than 500,000 computers and 25,000 dedicated servers. 3 The Linux botnet Mayhem, which spread through ShellShock exploits, affected 1,400 servers. 4 Unfortunately, Operation Windigo and Mayhem are still active, using the ShellShock Bash vulnerability and other means to spread to new victims.

Throughout 2014, Linux continued to be hounded by longstanding, widespread, and easily exploited vulnerabilities, such as the aforementioned ShellShock, a.k.a. Bashdoor. ShellShock enables the processing of requests that an attacker can use to gain unauthorized access to assets. One report noted that it was unclear how many systems ShellShock affected, but it was likely in the millions. 5

Then there were the targeted cyber-espionage operations that used custom threats targeting Linux systems, attributed to government-resourced attackers, such as Evanescent Bat and Turla. The Turla campaign, also known as Epic Turla, spread into 45 countries in an infection spree aimed at government operations and pharmaceutical companies.

Given the incredible number of threat attacks reported in 2014, and the fact that Linux systems are a growing threat target, this paper assumes that a major percentage of past and future attacks have targeted and will target Linux systems. Nearly every large organization has business-critical systems based on Linux, including critical infrastructure providers, utilities and energy companies, banks and other financial services, health care companies, media and entertainment firms, and high-tech companies. As it has moved from niche player to a core technology underpinning global enterprises, Linux has become a major target for cybercrime and cyber espionage.

Linux Attacks Were On The Move in 2014
March: Windigo infects 500,000 computers
July: Mayhem infects 1,400 servers
September: ShellShock continues to infect millions
December: Turla affects 45 countries

Sources
1 Sophos Research Report, "You might be surprised by how few businesses protect their Linux servers with antivirus," John Zorabedian, May 26. https://blogs.sophos.com/2015/05/26/you-might-be-surprised-by-how-few-businesses-protect-their-linux-servers-with-antivirus/
2 Cameron H. Malin, Eoghan Casey, James M. Aquilina, Malware Forensics Field Guide for Linux Systems (Syngress, 2014).
3 com/2014/03/operation-windigo-linux-malware.html
4 Source:
5 Source:

Threats Spare No Industry

Threats are not limited to specific industries. Hackers follow the money and attack the critical infrastructure, retail, healthcare, and financial sectors. One key component of successful attacks, regardless of industry, is that overburdened IT and security teams fail to notice the incursions until it is too late. With threats spanning industries and use of Linux systems on the rise, it is likely that Linux is a threat target in every organization.

Critical Infrastructure

According to the Department of Homeland Security (DHS), an unnamed U.S. public utility was attacked in [date missing]. The hack sought access to the utility's control system network. The report notes that "hackers may have launched the latest attack through an Internet portal that enabled workers to access the utility's control systems." This brute force attack was not the only one launched on critical infrastructure. DHS also reported that an attacker gained access to a utility's mechanical device and maintained access over a period of time. Although the number of Linux systems affected was not specifically reported, it can be assumed that some number of them were Linux based.

Retail

The retail business is littered with attacks. Target is the most high-profile example, and that was a damaging incursion that will take years for the company to recover from. However, there were others in retail that suffered from attacks, including Neiman Marcus, Michaels, eBay and Home Depot. The breach of Target cost the company $148 million. 7 To date, Home Depot has chalked up $48 million for its data breach. 8

Healthcare

With millions of records that contain personally identifiable information, healthcare is especially vulnerable to attack. In one healthcare-related attack, an operator of more than 200 hospitals in the U.S. had 4.5 million patient records stolen. The records included names, Social Security numbers, physical addresses, birthdays and telephone numbers.

In August 2014, the Washington Post reported that healthcare breaches had hit 30 million patients. The report notes that, since federal reporting requirements kicked in, the U.S. Department of Health and Human Services database of major breach reports (those affecting 500 people or more) has tracked 944 incidents affecting personal information from about 30.1 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access accounts (1.9 million people). 9

Financial and Brokerage Services

In February 2015, the Carbanak hacking group stole $1 billion from banks around the globe. The operation struck banks in about 30 countries, according to a report of Kaspersky's findings in ZDNet. 10 In its report, Kaspersky notes that "the use of a Secure Shell (SSH) backdoor to communicate with the C2 server in (operatemesscont.net) indicates that the attackers did not limit themselves to Microsoft Windows environments." 11

THE COST OF A BREACH: What is Your Reputation Worth?

The infamous Target data breach cost the retailer more than just financial loss, but the dollars and cents were staggering. Forbes reported that the retailer's profit fell nearly 50% in the last quarter of 2013 and more than a third for all of [year missing]. The magazine also reported that the hard loss from the data breach came in at $148 million. However, there were other costs as well. The CEO lost his job, and the company suffered a loss of reputation that is incalculable. Maybe your business is not as high profile as Target. So how does a major breach affect you? Ponemon Institute's Cost of a Data Breach study shows that the average cost of a data breach is about $3.5 million. The average cost for a compromised record is more than $[amount missing].

Sources
6 Source:
7 Source:
8 Source: https://threatpost.com/home-depot-breach-cost-company-43-million-in-third-quarter/
9 Source: health-care-data-breaches-have-hit-30m-patients-and-counting/
10 Source: 1-billion-from-banks-worldwide/
11 Source: https://securelist.com/files/2015/02/carbanak_apt_eng.pdf

How SureView Memory Integrity Works

Threat detection based on memory integrity verification is blazing a new trail. SureView Memory Integrity from Raytheon Websense is a solution that takes a completely different approach to threat detection than traditional endpoint security products. Using memory forensics, it performs threat detection through integrity verification. For threats to actively run on a computer, they must do so in physical memory. Instead of trying to identify known threats, which is already known to be a losing proposition, SureView Memory Integrity verifies the contents of memory against what should be in memory, based on known references. It then flags anything found in memory that does not match expectations.

SureView Memory Integrity uses the code published by Linux distribution vendors (e.g., Red Hat, CentOS, Ubuntu, Debian, and Fedora) as the basis for what should be running in memory. Users augment this reference set with the custom and third-party software in use in their environment.

SureView Memory Integrity operates enterprise-wide, reconstructing the state of Linux systems (such as programs running, open files, and loaded modules) by reading the kernel data structures from physical memory. The solution then verifies that a system is running only known software, while detecting rootkits, backdoors, injected code, unauthorized processes, and other signs of intrusion. When it detects a compromise, SureView Memory Integrity notifies system administrators and security teams and enables quick, in-depth investigation and response. The solution's alerts integrate easily with existing SIEMs. Besides being of top defense-grade quality, SureView Memory Integrity is also scalable and grows as the organization expands.
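The verification step described above, reduced to a single process, as an added example that is not SureView code or any Raytheon Websense code: it parses /proc/<pid>/maps-style lines and checks every executable mapping against a reference set of known-good code hashes, flagging the cases the paper names (injected code, unknown binaries, modified code) and, as in the Shellshock use case later in this paper, a binary whose on-disk file was patched or removed while the old image keeps running. All maps lines, byte strings and hashes are constructed; on a live system the maps text would come from /proc/<pid>/maps and the bytes from /proc/<pid>/mem or a memory image.

```python
from __future__ import annotations

import hashlib

KERNEL_PROVIDED = {"[vdso]", "[vsyscall]"}  # code pages the kernel itself maps into every process


def parse_maps(text: str) -> list[tuple[int, int, str, str]]:
    """Parse /proc/<pid>/maps lines 'start-end perms offset dev inode [path]' into (start, end, perms, path)."""
    maps = []
    for line in text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 5:
            continue  # blank or truncated line
        start, end = (int(x, 16) for x in fields[0].split("-"))
        maps.append((start, end, fields[1], fields[5].strip() if len(fields) == 6 else ""))
    return maps


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(maps_text: str, memory: dict[int, bytes], reference: dict[str, str]) -> list[dict]:
    """One finding per executable mapping whose code cannot be tied to the reference set."""
    findings = []
    for start, _end, perms, mapped in parse_maps(maps_text):
        if "x" not in perms or mapped in KERNEL_PROVIDED:
            continue  # data regions and kernel-provided pages are out of scope here
        if not mapped or mapped.startswith("["):
            code = "ANON_EXEC"  # executable but file-less: injected code or an executable heap/stack
        else:
            deleted = mapped.endswith(" (deleted)")
            path = mapped[: -len(" (deleted)")] if deleted else mapped
            if deleted:
                code = "STALE_IMAGE"  # file replaced or removed on disk; the old code is still running
            elif path not in reference:
                code = "UNKNOWN_BINARY"  # in no vendor package and not on the organization's own list
            elif sha256(memory.get(start, b"")) != reference[path]:
                code = "CODE_MISMATCH"  # in-memory code differs from the published build (hook/patch)
            else:
                continue  # known binary, unmodified code
        findings.append({"start": f"{start:x}", "path": mapped, "code": code})
    return findings


# Constructed sample data: short byte strings stand in for real text segments.
BASH_CODE = b"\x55\x48\x89\xe5 bash text segment (constructed)"
LIBC_CODE = b"\xf3\x0f\x1e\xfa libc text segment (constructed)"
HTTPD_CODE = b"httpd text segment (constructed)"
REFERENCE = {  # what a vendor package database plus the organization's own builds would publish
    "/usr/bin/bash": sha256(BASH_CODE),
    "/usr/lib/x86_64-linux-gnu/libc.so.6": sha256(LIBC_CODE),
    "/usr/sbin/httpd": sha256(HTTPD_CODE),
}
SAMPLE_MAPS = """\
55d4c3a00000-55d4c3a1c000 r-xp 00001000 08:01 1311 /usr/bin/bash
7f2e1c000000-7f2e1c1a0000 r-xp 00026000 08:01 5280 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2e1c400000-7f2e1c401000 rwxp 00000000 00:00 0
7f2e1c500000-7f2e1c520000 r-xp 00001000 08:01 9981 /tmp/unknown_binary
7f2e1c600000-7f2e1c640000 r-xp 00001000 08:01 4412 /usr/sbin/httpd (deleted)
7ffd2a3f0000-7ffd2a3f2000 r-xp 00000000 00:00 0 [vdso]
7ffd2a400000-7ffd2a421000 rw-p 00000000 00:00 0 [stack]
"""
MEMORY = {  # bytes as read from each executable region (constructed)
    0x55D4C3A00000: BASH_CODE,  # intact
    0x7F2E1C000000: LIBC_CODE.replace(b"libc", b"hook"),  # modified in memory only
    0x7F2E1C400000: b"\x90" * 16,  # anonymous RWX page
    0x7F2E1C500000: b"unknown binary text (constructed)",
    0x7F2E1C600000: HTTPD_CODE,  # old image still running after the on-disk file was replaced
}

if __name__ == "__main__":
    for f in verify(SAMPLE_MAPS, MEMORY, REFERENCE):
        print(f"{f['code']:15} {f['start']:>12} {f['path']}")
```

Whole-system coverage, as the paper describes, means repeating this over every process and over loaded kernel modules, with the reference set fed from the distribution's package manifests rather than a hand-written dictionary.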
CUSTOMER PROFILE: Global High-Frequency/Algorithmic Trading Firm Deploys SureView Memory Integrity Enterprise-wide

This firm suspected an intrusion and realized it lacked the ability to determine if its Linux systems were compromised. A trusted partner recommended the firm look at signature-less threat detection based on memory forensics. During a proof-of-concept evaluation, SureView Memory Integrity detected stealthy threats that no other product found. The firm subsequently deployed SureView Memory Integrity enterprise-wide on 5,000 globally distributed servers and workstations with no impact on critical production systems.

[Figure: SureView Memory Integrity Architecture. Enterprise-scale Linux memory integrity verification, with these components: SureView Memory Integrity Server, Reference Data Repository, Linux Targets, SIEM.]

"SureView Memory Integrity is everything my firm needs to keep us apprised of what is actually running on our Linux system and will notify us if our network is at risk. SureView Memory Integrity has totally raised the bar of excellence for all other security products my firm uses."
--- Director of Information Technology, Large Global Financial Services Company

SureView Memory Integrity Graphical User Interface

The graphical user interface for SureView Memory Integrity gives analysts the ability to take a deep dive into the status of a specific system with an easy-to-understand layout.

Integration with SIEMs

SureView Memory Integrity integrates seamlessly with SIEMs (such as Splunk), so that with a quick glance an analyst can see SureView Memory Integrity alert activity from automated scans over time and across the enterprise. This enables correlation between alerts and with other security data sources.

SUREVIEW MEMORY INTEGRITY USE CASE: Detecting Shellshock Bash Bug Malware on a Linux Server

An Incident Response Engineer, employed by a financial services company, suspects an intrusion into the organization's Linux systems but lacks the ability to determine whether they are truly compromised. She needs better visibility to understand whether the systems are infected.

A persistent attacker had indeed infected the system by sending an HTTPS request containing specifically crafted variables to exploit the Shellshock Bash Bug vulnerability. A command contained in one of the variables triggered a backdoor program, which infected the server. Even after the server is patched against the vulnerability, the malware would escape detection and remain on the machine.

To confirm her suspicion, she runs SureView Memory Integrity, which obtains an image of the code running in memory on the suspected system. The solution then compares the snapshot from memory with an approved image and alerts her on the anomaly. With access to the alert and additional forensic information from the SIEM's console, she can now conduct further investigation to determine the extent of the compromise and decide on remedial actions.

Conclusion

Traditional endpoint security products are not sufficient to protect Linux systems. The headlines tell the story of numerous attacks that companies do not see until it is too late. With Linux at the center of so much of the world's computing infrastructure, it is time for a different approach. Organizations need to deploy memory integrity verification to rapidly detect the threats facing Linux systems today. This approach eliminates unreliable traditional approaches to threat detection and provides positive assurance that systems are running only the software they are supposed to be running. SureView Memory Integrity, from Raytheon Websense, is a Linux memory integrity verification solution that supports many different Linux distributions and versions. It operates at enterprise scale and is architected for ease of deployment and integration. Besides being of top defense-grade quality, SureView Memory Integrity is also scalable and grows as the organization expands.

About Raytheon Websense

The Raytheon Websense portfolio of cyber security solutions provides unprecedented visibility into the enterprise and utilizes advanced analytics to enable a new level of cyber risk management. Through continuous monitoring of endpoints, user activity and other key assets, real-time data is collected and analyzed so that decisions can be made instead of merely reacting to alerts. With over twenty years of experience in developing and implementing products for some of the most sensitive and critical enterprise systems operating in the world today, Raytheon Websense delivers solutions that customers trust because they are scalable, secure, architecturally superior and cost effective.

For further information contact:
Raytheon Websense
Worldgate Drive, Suite 600
Herndon, Virginia USA

Trademarks and registered trademarks are property of their respective owners. Cleared for Public Release. Internal Reference #E15-K3P7. Copyright 2015 Raytheon Company. All rights reserved.
